Circle
attendance
timesheet
payroll
screen

Schedule 1

Data Processing Agreement

Forming part of, and incorporated by reference into, the Terms and Conditions of Service between Megamax Services Pvt. Ltd. and the Customer (the “Agreement”), this Data Processing Agreement (the “DPA”) is entered into between Megamax Services Pvt. Ltd. (“Megamax”, “Processor”) and the Customer that has accepted the Terms and Conditions of Service governing the Kasturi HR Platform, and is incorporated into and forms an integral part of the Agreement as Schedule 1. Capitalised terms not defined in this DPA have the meaning given to them in the Agreement or, failing that, in the Privacy Policy.

This DPA governs Megamax’s Processing of Customer Personal Data solely as Processor on behalf of the Customer as Controller / Data Fiduciary, subject always to the Agreement, this DPA, and Applicable Data Protection Laws.

Relationship with the Agreement and the Privacy Policy. This DPA, the Agreement, and Megamax’s Privacy Policy together form a single suite of documents governing the Platform. The Privacy Policy describes, for the benefit of Data Subjects and Data Principals, how Megamax handles personal data in both its Data Fiduciary/Controller capacity (Section 1.3 of the Privacy Policy) and its Data Processor capacity; this DPA is the operative contractual instrument as between Megamax and the Customer governing the latter capacity and shall prevail over the Privacy Policy in the event of any inconsistency concerning the terms of Processing. As between this DPA and the Agreement, Clause 13 (Precedence) below applies.

Acceptance and Effectiveness. This DPA becomes effective on the date the Customer first accepts the Agreement online, subscribes to the Kasturi HR Platform, or accesses or uses the Services after being presented with this DPA. By such act, the Customer acknowledges that it has read, understood, and agreed to be bound by this DPA, and no separate signature is required.

1. Definitions

1.1 "Applicable Data Protection Laws" means the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000 and rules made thereunder, including the SPDI Rules, 2011, and, where applicable to Data Subjects located in the EEA or UK, the GDPR and UK GDPR, in each case as amended from time to time.

1.2 "Controller"/"Data Fiduciary" means the Customer.

1.3 "Processor"/"Data Processor" means Megamax.

1.4 "Customer Personal Data" means Personal Data comprised in Customer Data that is Processed by Megamax on behalf of the Customer in connection with the Services, as further described in Annex 1. For clarity, Customer Personal Data excludes any personal data of children (individuals below 18 years of age, or the applicable age of majority) save to the extent any such data is inadvertently uploaded by the Customer in breach of Clause 5.2 of the Agreement; the Customer's obligations in that respect are unaffected by this DPA.

1.5 "Data Subject" means an identified or identifiable natural person, and includes a "Data Principal" as defined under the DPDP Act, 2023.

1.6 "Processing" means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, transfer, restriction, erasure, or destruction.

1.7 "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.

1.8 "Sub-processor" means any third party engaged by Megamax to Process Customer Personal Data on Megamax’s behalf in connection with the Services.

1.9 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, and, where the transfer involves Data Subjects located in the UK, the UK International Data Transfer Addendum (“UK IDTA”) issued by the UK Information Commissioner’s Office, in each case as incorporated by reference under Clause 8.

2. Roles and Allocation

2.1 The Customer is the Controller / Data Fiduciary and Megamax is the Processor in respect of Customer Personal Data Processed through the Platform.

2.2 Megamax shall Process Customer Personal Data only as a Processor and not as a Controller / Data Fiduciary, except to the limited extent Megamax determines the purposes and means of processing for its own account, such as billing, account administration, fraud prevention, security, compliance, or other internal business records. For clarity, and consistent with Section 1.3 of the Privacy Policy, Megamax acts as Data Fiduciary/Controller — not Processor — in respect of website visitors, direct registrants, newsletter subscribers, demo attendees, and job applicants; this DPA does not apply to Megamax’s Processing of such data, which is governed solely by the Privacy Policy.

2.3 Each Party shall comply with its respective obligations under Applicable Data Protection Laws. The Customer remains solely responsible for the lawfulness, accuracy, quality, and instructions for Customer Personal Data, including obtaining any necessary notices, consents, authorisations, and rights to share such data with Megamax, consistent with Clause 5.2 of the Agreement.

3. Instructions

3.1 Megamax shall Process Customer Personal Data only:

  1. in accordance with the Customer’s documented instructions, including those set out in the Agreement, this DPA, the Customer’s configuration of the Platform, and any written instructions agreed by the Parties; and
  2. as required by Applicable Data Protection Laws, provided that Megamax shall, to the extent legally permitted, use reasonable efforts to notify the Customer before such Processing.

3.2 The Customer acknowledges that it is solely responsible for ensuring that its instructions are lawful and that its use of the Services complies with Applicable Data Protection Laws.

3.3 Megamax may suspend Processing or seek clarification where an instruction, in its reasonable opinion, could infringe Applicable Data Protection Laws or materially increase Megamax’s operational, security, or legal risk. Megamax shall not be liable for delays caused by such suspension or clarification request.

4. Confidentiality

Megamax shall ensure that personnel authorised to Process Customer Personal Data are subject to confidentiality obligations and receive training appropriate to their roles. Megamax may satisfy this obligation through contractual, policy-based, or statutory confidentiality controls, including the obligations of confidentiality set out in Clause 10 of the Agreement.

5. Security

5.1 Megamax shall implement and maintain commercially reasonable technical and organisational measures designed to protect Customer Personal Data against unauthorised access, loss, misuse, alteration, or destruction, taking into account the nature of the Services and the risks presented by the Processing, consistent with the security measures described in Clause 10.4 of the Agreement and Section 8 of the Privacy Policy.

5.2 Such measures include, as applicable: end-to-end encryption for payroll, financial, and other sensitive personal data in transit and at rest (as further described in Section 8 of the Privacy Policy); access controls; logging; network security controls; vulnerability management; incident response procedures; and periodic testing.

5.3 Megamax may update, modify, or replace its security measures from time to time, provided that the overall security posture is not materially reduced.

5.4 The Customer remains responsible for maintaining appropriate security in its own systems, credentials, devices, and user access controls, consistent with Clause 10.5 of the Agreement.

6. Sub-processing

6.1 General authorisation. The Customer provides Megamax with a general authorisation to engage Sub-processors.

6.2 List of Sub-processors. Megamax shall maintain a current list of Sub-processors at https://kasturihr.com/sub-processors, consistent with Annex 2 and Clause 8.4 of the Agreement.

6.3 Notice of changes. Megamax shall provide the Customer with at least 30 days’ prior written notice before appointing a new Sub-processor that will materially Process Customer Personal Data, consistent with Clause 8.4 of the Agreement. If prior notice of a non-material change is not reasonably practicable, notice may be provided after appointment.

6.4 Objection. The Customer may object to a new Sub-processor only on the basis of documented evidence of a specific and demonstrable risk of non-compliance with Applicable Data Protection Laws, consistent with Clause 8.4 of the Agreement. Objections based on commercial preference, competitive concerns, or general dissatisfaction do not constitute valid grounds. If the Parties cannot resolve the objection within 30 days, Megamax may, at its option:

  1. continue providing the Services without using that Sub-processor where commercially and technically feasible;
  2. implement alternative measures; or
  3. terminate the affected Services on 14 days’ written notice if the new Sub-processor is reasonably required to provide the Services, in which case no refund of prepaid fees shall be issued, consistent with Clause 8.4 of the Agreement.

6.5 Flow-down. Megamax shall impose written obligations on Sub-processors that are materially consistent with Megamax’s obligations under this DPA, subject to the nature of the sub-processing services.

6.6 Liability. Megamax shall remain liable to the Customer for Sub-processor acts and omissions only to the extent caused by Megamax’s failure to exercise reasonable care in selecting and instructing such Sub-processor, except where mandatory law requires otherwise.

7. Assistance

7.1 Data subject requests. Taking into account the nature of the Processing, Megamax shall provide reasonable assistance to the Customer to respond to Data Subject requests to the extent such requests relate to Customer Personal Data in Megamax’s possession and the request can be fulfilled through standard functionality or reasonable administrative effort. Megamax is not required to verify the identity, validity, or merits of any request. Consistent with Clause 5.4 of the Agreement, Data Subjects must direct rights requests to the Customer in the first instance, and Megamax shall implement the Customer’s resulting instructions.

7.2 DPIAs and consultations. Megamax shall provide reasonable assistance in connection with any data protection impact assessment or prior consultation, only to the extent required by Applicable Data Protection Laws and only where the Customer reimburses Megamax for any material additional costs or resources incurred.

7.3 Audits. Megamax shall make available information reasonably necessary to demonstrate compliance with this DPA, which may include current policies, certifications, summaries, or audit reports at Megamax’s election. Any on-site audit:

  1. requires at least 30 days’ prior written notice;
  2. may occur no more than once in any 12-month period;
  3. must be limited in scope, conducted during business hours, and not unreasonably disrupt Megamax’s business; and
  4. shall be at the Customer’s cost, including Megamax’s reasonable time, security, and administrative expenses.

Megamax may satisfy an audit request by providing a third-party certification, independent report, or questionnaire response in lieu of an on-site inspection.

Cross-Border Transfers

8.1 India data. Megamax shall process and store Customer Personal Data of Data Subjects located in India in India, consistent with the data localisation commitment in Section 7 of the Privacy Policy, unless otherwise required for support, backup, disaster recovery, security, or service delivery purposes, in which case Megamax may transfer such data subject to Applicable Data Protection Laws and reasonable security safeguards.

8.2 EEA/UK data. Consistent with Section 7 of the Privacy Policy, Customer Personal Data of Data Subjects located in the EEA is, so far as possible, retained within the EEA. Where Customer Personal Data of Data Subjects located in the EEA or UK is nonetheless transferred outside the EEA/UK respectively, the transfer shall be subject to (a) the EU Standard Contractual Clauses, in the case of a transfer originating in the EEA, or (b) the UK IDTA, in the case of a transfer originating in the UK, or, in either case, another valid transfer mechanism recognised under the GDPR or UK GDPR as applicable.

8.3 Other safeguards. Without limiting Clauses 8.1 and 8.2, Megamax shall, consistent with Section 7 of the Privacy Policy, take reasonable steps to confirm that any recipient jurisdiction provides a standard of data protection equivalent to Indian law, and shall comply with any government-notified restrictions on cross-border data flows under the DPDP Act, 2023.

9. Return and Deletion

9.1 Export during term. The Customer may export Customer Personal Data using the Platform’s standard export tools during the term, subject to technical limitations and the Customer’s subscription plan.

9.2 Post termination export. Upon termination or expiry, Megamax shall make Customer Personal Data available for export in a structured, machine-readable format within 30 days of termination or the Customer’s written request (whichever is earlier), consistent with Clause 12.4 of the Agreement, provided the Customer requests export in writing within 30 days of termination.

9.3 Deletion. Following the export period, Megamax shall delete Customer Personal Data from active systems within a commercially reasonable period and from backups in accordance with its standard backup cycle. Megamax may retain data to the extent required by law, dispute preservation, fraud prevention, security, or internal compliance purposes, consistent with Section 9 of the Privacy Policy.

10. Breach Notification

10.1 Megamax shall notify the Customer’s designated contact without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data, consistent with Clause 10.6 of the Agreement, providing the details required to enable the Customer to meet its own notification obligations under Applicable Data Protection Laws.

10.2 Megamax’s notification shall include information reasonably available at the time and may be provided in phases where complete information is not available within the 72-hour period.

10.3 The Customer, as Data Fiduciary, is solely responsible for all notifications to Data Subjects, the Data Protection Board of India, or other regulators or authorities, consistent with Clause 10.6 of the Agreement, and Megamax shall provide reasonable cooperation at the Customer’s cost where material effort is required.

11. Liability

11.1 Except for liability that cannot lawfully be excluded, Megamax’s aggregate liability arising out of or in connection with this DPA shall be subject to the limitation of liability set out in Clause 14.4 of the Agreement, subject to the exceptions in Clause 14.5 of the Agreement (which include Megamax’s liability for a Personal Data Breach caused by Megamax’s failure to comply with its obligations as Data Processor under this DPA).

11.2 Megamax shall not be liable for any claim arising from:

  1. instructions or configurations supplied by the Customer;
  2. unlawful or excessive data collection by the Customer;
  3. the Customer’s failure to provide lawful notices or obtain required consents;
  4. acts or omissions of the Customer’s users; or
  5. force majeure, third-party outages, or events outside Megamax’s reasonable control.

11.3 Any indemnity obligations of the Customer under Clauses 5.5 and 15.1 of the Agreement shall apply to claims arising from the Customer’s breach of this DPA, Applicable Data Protection Laws, or infringement of third-party rights caused by the Customer’s data or instructions.

12. Term

This DPA remains in effect for so long as Megamax Processes Customer Personal Data under the Agreement. Clauses relating to confidentiality, security, return/deletion, liability, and any accrued payment obligations survive termination, consistent with Clause 12.6 of the Agreement.

13. Precedence

As between the Agreement and this DPA, the Agreement governs generally; however, in the specific event of a conflict between this DPA and the Agreement concerning the terms of Megamax’s Processing of Customer Personal Data as Data Processor (including the scope of Processing, sub-processing, security measures, breach notification, cross-border transfers, or return/deletion of Customer Personal Data), this DPA shall prevail as the more specific instrument on that subject matter, consistent with Clause 5.1 of the Agreement (which provides that Megamax’s obligations as Data Processor are governed exclusively by this DPA). This is a narrow carve-out and does not otherwise displace the Agreement’s general order of precedence. In the event of conflict between this DPA and the SCCs or the UK IDTA, the SCCs or UK IDTA (as applicable) shall prevail only to the extent required for the transfer they govern.

Annex 1 - Details of Processing

Particular Details
Category of Data Subjects The Customer’s Authorised Users, employees, contractors, job applicants, and other individuals whose data the Customer uploads to the Platform. For the avoidance of doubt, this category excludes children (individuals below 18 years of age), consistent with Section 11 of the Privacy Policy and Clause 2.3 of the Agreement, save to the extent inadvertently uploaded by the Customer in breach of its obligations.
Categories of Personal Data Identity and contact data (name, employee ID, work email, mobile number, date of birth, gender, nationality, residential and office address); employment data (designation, department, reporting line, contract type, working hours, attendance, leave records); compensation data (salary, payroll data, bank account details, PAN); statutory data (PF/EPFO, ESI numbers); performance data (KPIs, appraisal and evaluation history); training records and professional qualifications; engagement survey responses; disciplinary records and emergency contact information; and, where enabled by the Customer, biometric attendance data, health or medical information, and other Sensitive Personal Data or Information (SPDI), all as further described in Sections 2.2 and 2.7 of the Privacy Policy.
Nature and Purpose of Processing Provision of the cloud-based HRMS Services, including payroll processing, leave and attendance management, performance management, employee engagement, geo-tracking attendance (where opted in), and related Platform functionality, strictly as instructed by the Customer and as described in Section 4 of the Privacy Policy.
Duration of Processing For the term of the Agreement and the post-termination retention/export period set out in Clause 9 of this DPA and Section 9 of the Privacy Policy.
Frequency of Processing Continuous, for the duration of the Customer’s active use of the Platform.

Annex 2 - Approved Sub-processors

Sub-processor Function Location of Processing
Microsoft Azure (India region) Cloud hosting and infrastructure India (primary)
Approved Sub-processors listed at kasturihr.com/sub-processors Supporting infrastructure, analytics, and integration services as published and updated by Megamax from time to time As specified in the published list

Annex 3 - Standard Contractual Clauses and UK IDTA

3.1 EU Standard Contractual Clauses. Where Clause 8.2 of this DPA applies to a transfer originating in the EEA, the EU Standard Contractual Clauses (Module 2: Controller to Processor, as adopted by European Commission Implementing Decision (EU) 2021/914) are incorporated by reference, with the Customer as “data exporter” and Megamax as “data importer”, and with Annexes I and II of those clauses populated by reference to Annex 1 and Annex 2 of this DPA respectively.

3.2 UK International Data Transfer Addendum. Where Clause 8.2 of this DPA applies to a transfer originating in the UK, the UK IDTA issued by the UK Information Commissioner’s Office is incorporated by reference, as appended to the EU Standard Contractual Clauses referenced in Clause 3.1 above, with the Customer as “Data Exporter” and Megamax as “Data Importer”, populated by reference to Annex 1 and Annex 2 of this DPA.

3.3 Execution on request. The Parties shall execute the SCCs and/or UK IDTA as a separate signed document upon the Customer’s written request where required for the Customer’s own compliance documentation.

Want a Practical Demo?

Witness how Kasturi saves you time, simplifies complex operations, and automates the HR workflow.

It’s the right HRMS for you!

We understand complex HR processes. You need not worry, just smartly reduce your workload.

Privacy Policy Terms & Conditions Acceptable Use Policy Cookie Policy Data Processing Agreement